Configure FlexConfig Objects

Use FlexConfig objects to define a configuration to be deployed to a device. Each FlexConfig policy is composed of a list of FlexConfig objects, so the objects are essentially code modules composed of Apache Velocity scripting commands, ASA software configuration commands, and variables.

There are several predefined FlexConfig objects that you can use directly, or you can make copies if you need to edit them. You can also create your own objects from scratch. A FlexConfig object’s content can range from a single simple command string to elaborate CLI command structures that use variables and scripting commands to deploy commands whose content can differ from device to device or deployment to deployment.

You can also create FlexConfig policy objects when defining FlexConfig policies.

Before you begin

Keep the following in mind:

  • FlexConfig objects translate into commands that are then deployed to the device. These commands are already issued in global configuration mode. Therefore, do not include the enable and configure terminal commands as part of the FlexConfig object.

  • Determine what types of variables you will need, and create any policy objects that you will require. You cannot create objects for variables while editing a FlexConfig object.

  • Ensure that your commands do not conflict in any way with the VPN or access control configuration on the devices.

  • If there is more than one set of commands for an interface, only the last set of commands is deployed. Therefore, we recommend you not use beginning and ending commands to configure interfaces. For an example of configuring interfaces, see the ISIS_Interface_Configuration predefined FlexConfig object.
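The first and last points above can be checked mechanically before an object is saved. The following is an added example, not Cisco code: a small linter whose function name, rule names, and sample object body (including the `$tune_second` processing variable) are constructed for illustration.

```python
import re
from collections import defaultdict

# Exact-line match so a command such as "enable password ..." is not flagged.
MODE_COMMAND = re.compile(r"^(enable|configure\s+terminal)$", re.I)
INTERFACE = re.compile(r"^interface\s+(\S+)", re.I)

# Constructed object body; $tune_second is a hypothetical processing variable.
SAMPLE_BODY = """\
configure terminal
interface GigabitEthernet0/0
 isis priority 100
#if($tune_second)
interface GigabitEthernet0/1
 isis priority 50
#end
interface GigabitEthernet0/0
 isis priority 120
"""


def lint_flexconfig_body(body):
    """Return sorted (line_number, rule, detail) findings for an object body."""
    findings = []
    interface_lines = defaultdict(list)
    for lineno, raw in enumerate(body.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line, Velocity directive or Velocity comment
        if MODE_COMMAND.match(line):
            findings.append((lineno, "mode-command", line))
        block = INTERFACE.match(line)
        if block:
            interface_lines[block.group(1).lower()].append(lineno)
    # Only the last set of commands for an interface is deployed, so every
    # earlier block for the same interface is reported as overridden.
    for name, linenos in interface_lines.items():
        for lineno in linenos[:-1]:
            findings.append((lineno, "interface-overridden", name))
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint_flexconfig_body(SAMPLE_BODY):
        print(finding)
```

The check works on the literal object text, so an interface name supplied through a variable is compared by its variable name, not by the value it resolves to at deployment.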

Procedure


Step 1

Choose Objects > Object Management.

Step 2

Choose FlexConfig > FlexConfig Object from the list of object types.

Step 3

Do one of the following:

  • Click Add FlexConfig Object to create a new object.

  • Click Edit (edit icon) to edit an existing object.

  • Click View (View button) to see the contents of a predefined object.

  • If you want to edit a predefined object, click Copy (copy icon) to create a new object with the same contents.

Step 4

Enter a Name and optionally, a description for the object.

Step 5

In the object body area, enter the commands and instructions to produce the required configuration.

The object content is a sequence of scripting commands and configuration commands that generate a valid ASA software command sequence. The FTD device uses ASA software commands to configure some features. For more information on scripting and configuration commands, see:

You can use variables to supply information that can be known only at runtime, or which can differ from device to device. You simply type in processing variables, but you must use the Insert menu to add variables that are associated with policy objects or system variables, or which are secret keys. For a complete discussion of variables, see FlexConfig Variables.

  • To insert system variables, choose Insert > Insert System Variable > Variable Name. For a detailed explanation of these variables, see FlexConfig System Variables.

  • To insert policy object variables, choose Insert > Insert Policy Object > Object Type, selecting the appropriate type of object. Then, give the variable a name (which can be the same name as the associated policy object), select the object to associate with the variable, and click Save. For a detailed explanation of these types, see FlexConfig Policy Object Variables. For more detail on the procedure, see Add a Policy Object Variable to a FlexConfig Object.

  • To insert secret key variables, choose Insert > Secret Key and define the variable name and value. For more detail on the procedure, see Configure Secret Keys.

Note

You must use the Insert menu to create a new policy object or system variable. However, for subsequent uses of that variable, you must type it in, $ included. This is also true for system variables: the first time you use it, add it from the Insert menu. Then, type it out for subsequent uses. If you use the Insert menu more than once for a system variable, the system variable is added to the Variables list multiple times, and the FlexConfig will not validate, meaning you cannot save your changes. For processing variables (those not associated with a policy object or system variable), simply type in the variable. If you are adding a secret key, always use the Insert menu. Secret key variables do not show up in the Variables list.

Step 6

Choose the deployment frequency and type.

  • Deployment—Whether to deploy the commands in the object Once or Everytime. The only way to choose the right option is to test the results of deployment.

    Start by selecting Everytime. Then, after you attach the object to a FlexConfig policy, deploy the configuration. After a successful deployment, come back to the FlexConfig policy and preview the configuration for one of the assigned devices as described in Preview the FlexConfig Policy. If the section labeled ###CLI generated from managed features ### contains commands that clear or negate the commands in the object, and the ###Flex-config Appended CLI ### section contains the commands to reconfigure the feature, you know that Everytime is the right option.

    Even if you do not see negate commands, make some minor change to the device configuration, then run another deployment. If the deployment completes successfully, you can check the deployment transcript (see Verify the Deployed Configuration). If you see that the commands were issued again (even when they were already configured) without error, then you can keep Everytime.

    Change to Once only if the system does not first negate the commands in the object before issuing them again, or if the deployment results in errors that are specific to the command. In some cases, the system does not allow you to issue a command that is already configured, but this is the exception.

    Some additional tips:

    • If the FlexConfig object points to system-managed objects such as network or ACL objects, choose Everytime. Otherwise, updates to the objects might not get deployed.

    • Use Once if the only thing you do in the object is to clear a configuration. Then, remove the object from the FlexConfig policy after the next deployment.

  • Type—Select one of the following:

    • Append—(The default.) Commands in the object are put at the end of the configurations generated from the Cisco Defense Orchestrator policies. You must use Append if you use policy object variables, which point to objects generated from managed objects. If commands generated for other policies overlap with those specified in the object, you should select this option so your commands are not overwritten. This is the safest option.

    • Prepend—Commands in the object are put at the beginning of the configurations generated from the Cisco Defense Orchestrator policies. You would typically use prepend for commands that clear or negate a configuration.
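The preview check described under Deployment in Step 6 can be scripted against saved preview text. This is an added example, not Cisco code: only the two section labels come from the text above, while the sample preview, the object command, and the negation heuristic (`no <words>` or `clear configure <keyword>`) are assumptions.

```python
import re

HEADER = re.compile(r"^###\s*(.+?)\s*###$")
MANAGED = "CLI generated from managed features"
APPENDED = "Flex-config Appended CLI"

# Constructed sample preview; only the two section labels come from the page.
SAMPLE_PREVIEW = """\
###CLI generated from managed features ###
no sysopt connection tcpmss
###Flex-config Appended CLI ###
sysopt connection tcpmss 1380
"""
OBJECT_COMMANDS = ["sysopt connection tcpmss 1380"]  # constructed object body


def split_preview(text):
    """Group preview lines under their '###label ###' section headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def negates(managed_line, command):
    """Heuristic (assumption): 'no <words>' or 'clear configure <keyword>'."""
    words, cmd = managed_line.split(), command.split()
    if words[0] == "no" and len(words) > 1:
        return cmd[:len(words) - 1] == words[1:]
    if words[:2] == ["clear", "configure"] and len(words) > 2:
        return cmd[:1] == words[2:3]
    return False


def suggest_frequency(preview, object_commands):
    """'Everytime' if negated object commands are re-issued when appended."""
    sections = split_preview(preview)
    managed = sections.get(MANAGED, [])
    appended = sections.get(APPENDED, [])
    negated = [c for c in object_commands
               if any(negates(m, c) for m in managed)]
    if negated and all(c in appended for c in negated):
        return "Everytime"
    return "check transcript"  # fall back to the redeploy test in the text
```

A result of `check transcript` does not mean Once is correct; it means the preview alone is inconclusive and the second deployment test described above still has to be run.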

Step 7

(Optional.) Click Validate above the object body to check the integrity of the script.

The object is always validated when you click Save. You cannot save an invalid object.

Step 8

Click Save.


What to do next

  • If an active policy references your object, deploy configuration changes; see Deploy Configuration Changes.